Managing system role assignments in Venafi Configuration Console

Effective management of your identities is a team effort; no single administrator needs to be in charge of everything. Venafi Platform lets you assign system roles to specific users or groups so they have the access they need to perform their tasks, without giving every user access to everything.

The best way to manage system role assignments is in the Venafi Configuration Console (VCC), as described below. You can also view limited role information in the web console using the Identities inventory.

Roles can be assigned directly to a user's account, or they can be assigned to a group (either a local group or an LDAP group). For example, suppose you have an internal help desk that is getting calls about users who accidentally delete certificates. You can add the Recycle Bin Administrator role to the LDAP group that contains all your help desk employees. Whenever a user is onboarded to the help desk team, they inherit this role in Venafi Platform, and when they leave the help desk team, they automatically lose it.

This can become complicated quickly if you assign roles to both individuals and groups. For example, you might remove a role from a user's account, but if the user is also a member of a group that holds that role, the user's effective permissions remain unchanged.

As a best practice, we recommend assigning roles to groups and letting group management handle permission inheritance.
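The pitfall above (a role removed from a user's account that survives through group membership) is easy to model. The following audit helper is an added example, not part of this documentation or of Venafi's own code; all identities, groups, the identity-name prefixes and the "Example Administrator" role are constructed sample data, and group memberships are assumed to be flat (no nested groups).

```python
"""Compute effective system-role holdings from direct and group assignments.

Each identity's effective roles are the union of roles assigned directly to it
and roles assigned to groups it belongs to. The check at the bottom reports the
groups through which an identity would keep a role even after its direct
assignment is deleted, which is the case the documentation warns about.
"""
from collections import defaultdict

# Constructed sample data: one (identity, role) row per assignment, mirroring
# how the System Roles list shows an identity once for each role it holds.
# "Recycle Bin Administrator" is the role named in the text; the rest is made up.
DIRECT_ASSIGNMENTS = [
    ("local:alice", "Recycle Bin Administrator"),
    ("local:alice", "Example Administrator"),
    ("AD+corp:Help Desk", "Recycle Bin Administrator"),  # assigned to a group
    ("AD+corp:bob", "Example Administrator"),
]

# Constructed group memberships: group identity -> member identities (flat).
GROUP_MEMBERS = {
    "AD+corp:Help Desk": {"local:alice", "AD+corp:carol"},
}


def effective_roles(direct, group_members):
    """Return {identity: {role: set(sources)}}.

    A source is the string "direct" for a role on the account itself, or the
    name of the group through which the role is inherited.
    """
    result = defaultdict(lambda: defaultdict(set))
    for identity, role in direct:
        if identity in group_members:
            # Role granted to a group: every member inherits it from that group.
            for member in group_members[identity]:
                result[member][role].add(identity)
        else:
            result[identity][role].add("direct")
    return {ident: dict(roles) for ident, roles in result.items()}


def surviving_after_direct_removal(direct, group_members, identity, role):
    """Groups through which `identity` keeps `role` if its direct assignment is deleted.

    An empty list means deleting the direct assignment actually revokes the role.
    """
    roles = effective_roles(direct, group_members).get(identity, {})
    return sorted(src for src in roles.get(role, set()) if src != "direct")


if __name__ == "__main__":
    for ident, roles in sorted(effective_roles(DIRECT_ASSIGNMENTS, GROUP_MEMBERS).items()):
        for role, sources in sorted(roles.items()):
            print(f"{ident:20} {role:28} via {', '.join(sorted(sources))}")
    print("alice keeps Recycle Bin Administrator via:",
          surviving_after_direct_removal(DIRECT_ASSIGNMENTS, GROUP_MEMBERS,
                                         "local:alice", "Recycle Bin Administrator"))
```

Run before deleting a role in VCC: a non-empty result means the deletion will not change the user's effective permissions, and the group assignment is where the change has to be made.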

For more information about roles, see Understanding system roles.

To add roles to users or groups using VCC

  1. As a system administrator, log in to VCC using a remote session to your server, then expand the System Roles node.
  2. In the Actions panel, click the Add button for the role you want to be added to a user or group.
  3. Locate the user or group, then click the user or group name.
  4. Click Select.

The user or group appears in the System Roles list with the role added. An identity that holds multiple roles appears in the list once for each role.

To remove roles from users or groups using VCC

  1. As a system administrator, log in to VCC using a remote session to your server, then expand the System Roles node.
  2. Locate the user or group that has the role to be removed.

    TIP: Set the Group By option to Type to quickly see which identities have been assigned to which roles.

  3. In the Actions panel, click Delete.

About the Allow Team Creation grant

The Allow Team Creation "role" is actually a grant, not a system role, and it is viewed and managed in the web console. For the steps to add roles and grants in Policy Tree, see Managing role and grant assignments in Policy Tree.